Lecture 5 Cyber Security Standards and Controls

The document discusses the NIST Cybersecurity Framework, which provides guidelines to help organizations manage cybersecurity risks. It describes the framework's core functions of identify, protect, detect, respond, and recover. The framework also includes implementation tiers and can be used by any organization as a reference to develop a cybersecurity program. Additionally, the document outlines regulatory compliance requirements for financial institutions, including components of a GLBA-compliant security program and other relevant regulations.

BCS2014 Cyber Security

Lecture 5: Cyber Security Standards and Controls

NIST Cybersecurity Framework
Learning Objectives
• Understand the overall goal of the NIST Cybersecurity Framework
• Identify the Framework’s Core, Profile, and Implementation Tiers
• Explain how the NIST Cybersecurity Framework can be used by any
organization as a reference to develop a cybersecurity program

Copyright 2019 Pearson Education, Inc. 3


NIST Cybersecurity Framework
• A collection of industry standards and best practices to help
organizations manage cybersecurity risks
• Created in collaboration among the U.S. government, corporations,
and individuals
• Main goal is to address and manage cybersecurity risk in a cost-effective way
to protect critical infrastructure

About the Framework
• Provides common guidance that enables organizations to:
• Describe their current cybersecurity posture
• Describe their target state for cybersecurity
• Identify and prioritize opportunities for improvement within the context of a
continuous and repeatable process
• Assess progress toward the target state
• Communicate among internal and external stakeholders about cybersecurity
risk

Parts of the Framework
• Framework Core:
• A collection of cybersecurity activities, desired outcomes, and
informative references that are common across critical
infrastructure sectors
• Framework Profiles:
• Designed to help an organization align its cybersecurity
activities with its business requirements, risk tolerances,
and resources; a Current Profile describes where it is, a
Target Profile where it wants to be
• Framework Tiers:
• Designed to help organizations view and understand the
characteristics of their approach to managing cybersecurity
risk

Framework Core
• The framework core consists of five functions: Identify, Protect,
Detect, Respond, and Recover
• Each of these functions has
categories, subcategories, and
informative references
• Categories group the elements of a
function into collections of outcomes
• Subcategories list specific outcomes of
activities
• Informative references point to industry
standards, guidelines, and practices

Identify Function Categories (as listed in CSF v1.1)
• Asset Management (ID.AM)
• Business Environment (ID.BE)
• Governance (ID.GV)
• Risk Assessment (ID.RA)
• Risk Management Strategy (ID.RM)
• Supply Chain Risk Management (ID.SC)


Protect Categories
• Identity Management and Access Control (PR.AC)
• Awareness and Training (PR.AT)
• Data Security (PR.DS)
• Information Protection Processes and Procedures (PR.IP)
• Maintenance (PR.MA)
• Protective Technology (PR.PT)


Detect Categories
• Anomalies and Events (DE.AE)
• Security Continuous Monitoring (DE.CM)
• Detection Processes (DE.DP)


Respond Categories
• Response Planning (RS.RP)
• Communications (RS.CO)
• Analysis (RS.AN)
• Mitigation (RS.MI)
• Improvements (RS.IM)


Recover Categories
• Recovery Planning (RC.RP)
• Improvements (RC.IM)
• Communications (RC.CO)


Framework Tiers
• Tiers describe the degree to which an organization's risk
management practices exhibit the characteristics defined in the
framework, from Tier 1 (Partial) through Tier 2 (Risk Informed) and
Tier 3 (Repeatable) to Tier 4 (Adaptive)
• Each tier is described in terms of four categories:
• Risk Management Process
• Integrated Risk Management Program
• External Participation
• Cyber Supply Chain Risk Management

Framework Coordination
• Three levels that should be engaged to coordinate the implementation
• Executive
• Business/Process
• Implementation/Operations
• Feedback loops run between Business/Process and each of the other
two levels

NIST Recommended Steps
1. Prioritize and scope
2. Orient
3. Create a current profile
4. Conduct a risk assessment
5. Create a target profile
6. Determine, analyze, and prioritize any gaps
7. Implement the action plan
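The seven steps above are usually worked through in a spreadsheet; the following is an added illustration (not NIST's Reference Tool and not code from this lecture) of the same procedure in Python, with the profile comparison and prioritization made explicit. It also mirrors the browse/search/export functions of the Reference Tool described later. The Core excerpt, the tier assigned to each subcategory in the Current and Target Profiles, the likelihood/impact scores and the priority formula are all constructed for this example; the identifiers follow the CSF v1.1 naming scheme (Function.Category-Subcategory) but the outcome text is abbreviated.

```python
"""Worked example of the NIST CSF seven-step process (added illustration,
not NIST's Reference Tool).

Core excerpt, tier values, likelihood/impact scores and the priority formula
are assumptions constructed for this example.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# CSF Implementation Tiers (Tier 1 Partial ... Tier 4 Adaptive), used here as
# the maturity scale for each subcategory in a Profile.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Subcategory:
    ident: str      # e.g. "PR.AC-1"
    function: str   # Identify / Protect / Detect / Respond / Recover
    category: str
    outcome: str


# Step 2 (Orient): the in-scope slice of the Framework Core. Constructed excerpt.
CORE: List[Subcategory] = [
    Subcategory("ID.AM-1", "Identify", "Asset Management",
                "Physical devices and systems are inventoried"),
    Subcategory("PR.AC-1", "Protect", "Identity Management and Access Control",
                "Identities and credentials are managed"),
    Subcategory("PR.DS-1", "Protect", "Data Security", "Data-at-rest is protected"),
    Subcategory("DE.CM-1", "Detect", "Security Continuous Monitoring",
                "The network is monitored to detect potential cybersecurity events"),
    Subcategory("RS.RP-1", "Respond", "Response Planning",
                "Response plan is executed during or after an incident"),
    Subcategory("RC.RP-1", "Recover", "Recovery Planning",
                "Recovery plan is executed during or after an incident"),
]

# Step 3 (Current Profile) and step 5 (Target Profile): assumed tier per subcategory.
CURRENT_PROFILE: Dict[str, int] = {"ID.AM-1": 2, "PR.AC-1": 1, "PR.DS-1": 3,
                                   "DE.CM-1": 1, "RS.RP-1": 2, "RC.RP-1": 2}
TARGET_PROFILE: Dict[str, int] = {"ID.AM-1": 3, "PR.AC-1": 4, "PR.DS-1": 3,
                                  "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3}

# Step 4 (Risk Assessment): assumed (likelihood, impact) on a 1-5 scale.
RISK: Dict[str, Tuple[int, int]] = {"ID.AM-1": (3, 3), "PR.AC-1": (5, 5), "PR.DS-1": (2, 4),
                                    "DE.CM-1": (4, 4), "RS.RP-1": (3, 4), "RC.RP-1": (2, 5)}


def validate_profile(core: List[Subcategory], profile: Dict[str, int]) -> None:
    """A Profile must cover every in-scope subcategory with a valid tier;
    a silently missing entry would hide a gap from the analysis."""
    missing = [sc.ident for sc in core if sc.ident not in profile]
    if missing:
        raise ValueError(f"profile has no tier for {missing}")
    bad = {k: v for k, v in profile.items() if v not in TIERS}
    if bad:
        raise ValueError(f"tier outside 1-4: {bad}")


def browse(core: List[Subcategory], function: Optional[str] = None,
           category: Optional[str] = None, text: Optional[str] = None) -> List[Subcategory]:
    """Filter the Core by function, category and/or a free-text search over
    the outcome statement (what the Reference Tool's browse/search does)."""
    hits = core
    if function:
        hits = [sc for sc in hits if sc.function == function]
    if category:
        hits = [sc for sc in hits if sc.category == category]
    if text:
        hits = [sc for sc in hits if text.lower() in sc.outcome.lower()]
    return hits


def gap_analysis(core: List[Subcategory], current: Dict[str, int],
                 target: Dict[str, int], risk: Dict[str, Tuple[int, int]]) -> List[dict]:
    """Step 6: subcategories whose current tier is below the target, ranked by
    priority = (target - current) * likelihood * impact (assumed formula)."""
    validate_profile(core, current)
    validate_profile(core, target)
    gaps = []
    for sc in core:
        cur, tgt = current[sc.ident], target[sc.ident]
        if cur >= tgt:          # already at or above target: no gap to close
            continue
        likelihood, impact = risk[sc.ident]
        gaps.append({
            "id": sc.ident, "function": sc.function, "category": sc.category,
            "current": TIERS[cur], "target": TIERS[tgt],
            "gap": tgt - cur, "priority": (tgt - cur) * likelihood * impact,
        })
    # Highest priority first; the identifier breaks ties deterministically.
    gaps.sort(key=lambda g: (-g["priority"], g["id"]))
    return gaps


def action_plan(gaps: List[dict]) -> str:
    """Step 7: export the prioritized plan as JSON for the
    implementation/operations level to work from."""
    return json.dumps(gaps, indent=2)


if __name__ == "__main__":
    for g in gap_analysis(CORE, CURRENT_PROFILE, TARGET_PROFILE, RISK):
        print(f'{g["priority"]:>3}  {g["id"]:8} {g["current"]} -> {g["target"]}')
```

With the assumed values, PR.AC-1 (three tiers short on a high-likelihood, high-impact outcome) tops the list and PR.DS-1, already at its target, is absent; the validation step matters because a Profile that silently omits a subcategory would make that gap invisible to the board-level report.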

Communication
• NIST Cybersecurity Framework
provides a common language to
communicate within or outside
your organization
• Buying decisions can be
influenced by your cybersecurity
posture

NIST Cybersecurity Framework Reference Tool
• Enables you to navigate through the framework components and
references
• Provides a way to browse the Framework Core by functions,
categories, subcategories, and informative references
• Allows you to search for specific words and export the current viewed
data to different file types

Regulatory Compliance for Financial Institutions
Learning Objectives
• Understand different financial institution cybersecurity
regulatory compliance requirements
• Understand the components of a GLBA-compliant
information security program
• Examine other financial services regulations, such as the
New York Department of Financial Services (DFS)
Cybersecurity Regulation
• Prepare for a regulatory examination
• Understand data privacy and new trends in
international regulatory compliance

Introduction
• A financial institution’s most significant asset is not money: It’s
information about money, transactions, and customers
• Protection of those information assets is necessary to establish the
required trust for the institution to conduct business
• Institutions have a responsibility to protect their clients' information
and privacy from harm such as fraud and identity theft

The Gramm-Leach-Bliley Act (GLBA)
• Signed into law by President Clinton in 1999
• Also known as the Financial Modernization Act of 1999
• Meant to allow banks to engage in a wide array of financial services
• Banks can now merge with stock brokerage companies and insurance
companies, which means that they can possess large amounts of
private, personal client information

The Gramm-Leach-Bliley Act (continued)
• Title V of the GLBA specifically addresses protecting both the privacy
and the security of nonpublic personal information (NPPI)
• NPPI includes the following information:
• Names
• Addresses
• Phone numbers
• Income and credit histories
• Social Security numbers

GLBA’s Information Protection Directive
Components
• Privacy rule: Limits the institution's disclosure of NPPI
to unaffiliated third parties
• Safeguards rule: Requires administrative, technical, and physical
safeguards for the confidentiality and security of customer NPPI
• Pretexting provisions: Prohibit obtaining customer information under
false pretenses (social engineering); GLBA encourages organizations to
train employees to recognize and combat it

What Is a Financial Institution?
• “Any institution the business of which is significantly engaged in financial
activities as described in Section 4(k) of the Bank Holding Company Act (12 U.S.C.
§ 1843(k)).”
• GLBA also applies to companies that provide financial products and/or services
such as:
• Automobile dealers
• Check-cashing businesses
• Consumer reporting agencies
• Credit card companies
• Insurance companies
• Mortgage brokers

What Are Interagency Guidelines?
• The dependence of financial institutions upon
information systems is a source of risk
• The Interagency Guidelines (IG) were created as a way
to mitigate the risks of that information being
compromised
• The IG require every covered institution to implement a
comprehensive written information security program that
includes administrative, technical, and physical
safeguards

Policies and Processes Required for Compliance with IG
• Involve the board of directors
• Assess risk
• Manage and control risk
• Train staff
• Test controls
• Oversee service provider arrangements
• Adjust the program
• Report to the board

Involve the Board of Directors
• The board must approve the bank’s written cybersecurity program
• The board must oversee the development, implementation, and
maintenance of the program
• As corporate officials, the board has a fiduciary and legal responsibility
• Banks should provide board members with appropriate training on
cybersecurity
• The board may in turn delegate cybersecurity tasks to other roles and/or
committees

Assess Risk
• Risk assessments start by creating an inventory of all information
items and information systems
• Identifying threats is the next step
• Threat: Potential for violation of security
• Threat assessment: Identification of types of threats
• Threat analysis: Systematic rating of threats based upon risk and probability
• Threat probability: Likelihood that a threat will materialize
• Residual risk: The level of risk after controls have been implemented

Manage and Control Risk
• The cybersecurity program should be designed to control the identified risks
commensurate with the sensitivity of the information as well as the complexity
and scope of its activities
• The agencies recommend using the ISO standards as the framework for financial
institution information security programs

Training
• Institutions must implement an ongoing cybersecurity awareness
program
• Staff should receive security training at least once a year
• Training can be instructor-led or online
• Untrained staff are prime targets for phishing and other social
engineering attacks

Testing
• All controls must be tested
• Priority should be given to high-risk, critical systems
• Separation of duties applies to control testing: those who design or
operate a control should not be the ones who test it
• The three most common testing methodologies:
• Audit
• Evidence-based examination that compares current practices against internal or external criteria
• Assessment
• A focused, privileged inspection of a system, process, or control
• Assurance test
• Measures how well controls work by subjecting the system to an actual attack, as in a penetration test

Oversee Service Provider Arrangements
• Financial institutions must ensure that service providers have
implemented security controls in accordance with GLBA
• Recommended oversight procedures:
• Conduct risk assessment
• Use due diligence when selecting third parties
• Implement contractual assurances regarding security responsibilities,
controls, and reporting
• Require nondisclosure agreements
• Provide third-party review of the service provider’s security through audits
and tests
• Coordinate incident response policies and contractual notification
requirements
• Review third-party agreements and performance at least annually

Adjusting the Program
• Effective monitoring involves both technical and non-technical
evaluations
• Change drivers include mergers and acquisitions, changes in
technology, changes in data sensitivity
• Cybersecurity policy should be reviewed at least annually

Reporting to the Board
• Should take place at least annually
• Should describe:
• The overall status of the cybersecurity program and the
organization's compliance with the interagency guidelines
• Should address:
• Risk assessment and management, control decisions, service
provider arrangements, employee training, independent
audits and testing, recommendation for change of the
program

What Is Regulatory Examination?
• Regulatory agencies are responsible for oversight and supervision of
financial institutions
• Exams are conducted every 12 to 18 months
• The exam includes evaluation of policies, processes, personnel,
controls, and outcomes
• Financial institutions are given a rating on a scale of 1 to 5, with 1
representing the best rating and 5 the worst rating with the highest
degree of concern

Personal and Corporate Identity Theft
• Personal identity theft: Someone possesses and uses identifying information
that is not their own with the intent to commit fraud or other crimes
• Name
• Date of birth
• Social Security numbers
• Credit card numbers
• Corporate identity theft: When criminals attempt to impersonate authorized
employees to access corporate bank accounts and steal money
• Known as corporate account takeover

Personal and Corporate Identity Theft (continued)
• Responding to identity theft: Supplement A, “Interagency Guidance on Response
Programs for Unauthorized Access to Customer Information and Customer
Notice” (“the guidance”)
• The guidance describes response programs, including customer notification
procedures, that a financial institution should develop and implement to address
unauthorized access to or use of customer information
• FTC supports identity theft criminal investigations and prosecution through its
Identity Theft Data Clearinghouse

Personal and Corporate Identity Theft (continued)
• Updated guidance on Internet banking safeguards was released October 2011
• Financial institutions are required to review and update existing risk assessment at least
every 12 months
• Financial institutions must implement a layered security model
• Financial institutions must offer multifactor authentication to commercial cash
management customers
• Financial institutions must implement authentication and transactional fraud monitoring
• Financial institutions must educate commercial account holders about risks associated
with online banking

Certification and Accreditation in Cybersecurity

Accreditation
• Accreditation (or authorization to process information) is granted
by a management official and provides an important quality control.
By accrediting a system or application, a manager accepts the
associated risk. Accreditation (authorization) must be based on a
review of controls

Certification
• Certification is the process of evaluating, testing, and examining
security controls that have been pre-determined based on the data type
in an information system. The evaluation compares the current
systems’ security posture with specific standards.

Benefits of Certification and Accreditation
• More consistent, comparable and repeatable certification of IT
systems.
• More complete, reliable information for authorizing officials – leading
to better understanding of complex IT systems and their associated
risks and vulnerabilities - and therefore, to more-informed decisions
by management officials
• Greater availability of competent security evaluation and assessment
services
• More secure IT systems within the federal government

Summary
• The NIST Cybersecurity Framework is a collection of industry
standards and best practices to help organizations manage
cybersecurity risks
• The framework consists of three parts: Core, Profiles, and Tiers
• The core consists of five functions: Identify, Protect, Detect,
Respond, and Recover
• Each function has categories, subcategories, and informative
references
• There are four tiers: Partial, Risk-Informed, Repeatable, and
Adaptive

Summary
• Each tier has four categories: Risk Management Process,
Integrated Risk Management Program, External Participation,
and Cyber Supply Chain Risk Management
• The recommended steps are:
1. Prioritize and Scope
2. Orient
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Determine, Analyze, and Prioritize any Gaps
7. Implement the Action Plan

Summary
• Requirements for IG compliance include: Involve the Board of Directors, Assess
Risk, Manage and Control Risk, Oversee Service Provider Arrangements, Adjust
the Program, and Report to the Board
• Regulatory exams are conducted every 12 to 18 months, with ratings given on a 1
(best) to 5 (worst) scale
• Guidelines are available for dealing with personal and corporate identity theft
through Supplement A, "Interagency Guidance on Response Programs for
Unauthorized Access to Customer Information and Customer Notice”

Summary
• The Gramm-Leach-Bliley Act (GLBA) of 1999 allows banks to engage in an array of
financial services
• GLBA addresses protecting the privacy and security of NPPI
• Seven federal agencies and the states have authority to administer and enforce
the Financial Privacy Rule and Section 501(b)
• Interagency Guidelines (IG) mitigate the risks of financial institutions depending
on information systems by requiring institutions to have comprehensive
cybersecurity programs
